On 29 December 2017, the National Information Security Standardization Technical Committee (TC 260), which is jointly administered by the Cyberspace Administration of China and the Standardization Administration of China, issued the Information Security Technology – Personal Information Security Specifications, which will take effect 1 May 2018.
The standard marks another step in China's efforts to develop a comprehensive data protection regime, with significant implications for cross-border interoperability.
Key aspects of the standard include:
• Clarifying the rights of personal data subjects and requiring a higher level of protection for "personal sensitive information" than for ordinary "personal information".
• Requiring data controllers to obtain "explicit consent", that is, written consent or other affirmative action by a personal data subject, such as electronically clicking to consent, before collecting and using personal sensitive information.
• Requiring network operators to notify regulators and affected individuals of security incidents involving an actual or potential leak, damage or loss of personal information.
• Obligating data controllers to carry out security assessments of third-party data processors, and to adhere to a set of general principles when processing personal information.
The standard is recommended, as opposed to mandatory, but government agencies often refer to recommended standards when evaluating compliance with broadly phrased laws and regulations.